Impact map for designing secure socio-technical systems with cultural dimensions
This repository contains a table that specifies the detailed impact map for identifying the impacts of cultural dimensions on security requirements for socio-technical systems. The impact map was created by analysing the semantics of each sub-cultural dimension and each security requirement, drawing on the authors' experience as security experts and behavioural cyber psychologists.
Some cells of the table are marked with the following symbols:
~ “++”: a strong positive impact of the cultural dimension on the security requirement. The cultural dimension will promote behaviours that enforce the security requirement. For example, a high level of “UA” has a strong positive impact on the availability security requirement, since planning (a behaviour associated with high levels of UA) will increase the chances that a request for a service/resource is fulfilled every time it is made.
~ “+”: a positive impact of the cultural dimension. The cultural dimension has a mild positive impact that may promote certain behaviours that help enforce security requirements. It is unlikely to promote behaviours that work against the security requirements. For example, high levels of the “indulgence/restrained” dimension will help enforce confidentiality, since this dimension is associated with freedom of speech and speaking freely; therefore high values will encourage people to accept constraints (derived from confidentiality requirements) that limit the information revealed to unauthorised people.
~ “-”: a negative impact of the cultural dimension. The cultural dimension has a limited negative impact on the security requirements that may promote some behaviours that prevent the fulfilment of security requirements. For example, a high level of “Power distance” has a negative impact on confidentiality, since people who occupy the higher ranks of the hierarchy will not be (or will be less) subject to rules, allowing them to avoid following access control rules.
~ “- -”: a strong negative impact of the cultural dimension. In this case the cultural dimension will lead to behaviours that may create security breaches and violate the security requirements. For example, a high level of collectivism has a negative impact on separation of duties, since a strong group identity may lead to task sharing, a behaviour that directly violates the security requirement. Moreover, people might easily fall victim to social engineering attacks.

If a cell is marked, a short rationale behind the choice is provided. For cells that are not marked, no impact relation has been identified.